As everyone knows there's a ton of information out there regarding pen testing. To stimulate some conversation, I'd like to throw out this scenario...

If you were mentoring someone through the OSCP who had minimum pen testing experience and could only give them 1 book (or 1 website reference) as supplemental material for the course, what book/website would you suggest?

My suggestion would be "BackTrack 4: Assuring Security by Penetration Testing". Even though the latest BT release is v5, I still believe this book is extremely relevant for a beginner pen tester.

Not sure I'd lean solely on a BackTrack-specific book, myself, as there is a LOT that can / will be done that isn't solely BackTrack (yes, I know the course is Penetration Testing with BackTrack, but the concepts go beyond the tools in question.)

That said... one book or reference website... (harsh request, as it's such a broad set of topics and info) I could go various ways on this, all dependent on who the person was, that I'm 'mentoring' While they may be limited at pentesting, how technical are they, and what's their background in tech, otherwise.

My reasons are that, whether in the course, or elsewhere, you need to know the basics, how to setup a lab environment to mimic what you're attacking (or for practice.) While it's not all 'specific' to PWB, it covers a lot of the areas you need to be familiar with, and methodologies, for progressing in the field. I could really point to other books, as well, so I'm not singling Thomas's out. You could also look at:

I like the last one, because it gives you more perspective on doing things for yourself, WITHOUT pre-canned tools, after all, you can't really rely on those, much when you take your OSCP exam. Ultimately, if the person was technical enough, I think that it would get my nod as the single book.

As for one website, I think it'd be SecurityTube, if for no other reason than it's rounded videos and topics, that can be quickly referred to, in a pinch (although, again, I could point out others)

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

magicm wrote:If you were mentoring someone through the OSCP who had minimum pen testing experience and could only give them 1 book (or 1 website reference) as supplemental material for the course, what book/website would you suggest?

Not entirely sure this is within the spirit of your question, but with regard to websites, I'd recommend Google. Although , it's thought of just a search engine, it's just an application that's hosted via a website.

Last edited by m0wgli on Fri Sep 28, 2012 5:06 pm, edited 1 time in total.

There is no single book because hacking at OSCP level is not specialized skill but more of test of understanding the bigger picture. You will not study anything too deeply for this course but you will surely have to understand lot many things and their interaction with each other.

I was taking the course, the time expired for me, I will return in a couple of month, but let me tell you:

- Learn something about bash. python and some C- Take any tutorials how the exploits works and try to do some exercises, in the training they explained pretty good, but you need some bases.- Linux (what ever level).

But the most important part, you need experience in the technology (Windows/Linux servers) before to learn how to attack, otherwise you will not get what for are those services, where to go when you get some shell, etc,etc

I not really fan of that BT book I think if you want be in pen testing you have to learn how to use system and pick things up. The book for me is you can find this tool here and here basic step of using it it might be useful for a complete newbi to give them some building blocks on backtrack but I think you can learn more online watching videos.